Diffstat (limited to 'docs-xml/smbdotconf/security/security.xml')
-rw-r--r-- | docs-xml/smbdotconf/security/security.xml | 109 |
1 files changed, 2 insertions, 107 deletions
diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml index 74ea569b86..2575d77b99 100644 --- a/docs-xml/smbdotconf/security/security.xml +++ b/docs-xml/smbdotconf/security/security.xml 
@@ -11,34 +11,18 @@ Samba and is one of the most important settings in the <filename moreinfo="none"> smb.conf</filename> file.</para> - <para>The option sets the "security mode bit" in replies to - protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide - based on this bit whether (and how) to transfer user and password - information to the server.</para> - - <para>The default is <command moreinfo="none">security = user</command>, as this is - the most common setting needed when talking to Windows 98 and - Windows NT.</para> + the most common setting, used for a standalone file server or a DC.</para> <para>The alternatives are <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain - </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = share</command> and <command moreinfo="none">security = server</command>, both of which are deprecated.</para> - - <para>In versions of Samba prior to 2.0.0, the default was - <command moreinfo="none">security = share</command> mainly because that was - the only option at one stage.</para> + </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = server</command>, which is deprecated.</para> <para>You should use <command moreinfo="none">security = user</command> and <smbconfoption name="map to guest"/> if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. </para> - <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis> - hybrid mode</emphasis> where it is offers both user and share - level security under different <smbconfoption name="NetBIOS aliases"/>. </para> - <para>The different settings will now be explained.</para> 
@@ -65,8 +49,6 @@ the server to automatically map unknown users into the <smbconfoption name="guest account"/>. See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> - <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para> <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle> 
@@ -94,93 +76,9 @@ the server to automatically map unknown users into the <smbconfoption name="guest account"/>. See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> - <para>See also the section <link linkend="VALIDATIONSECT"> - NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - <para>See also the <smbconfoption name="password server"/> parameter and the <smbconfoption name="encrypted passwords"/> parameter.</para> - <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para> - - <note><para>This option is deprecated as it is incompatible with SMB2</para></note> - - <para>When clients connect to a share level security server, they - need not log onto the server with a valid username and password before - attempting to connect to a shared resource (although modern clients - such as Windows 95/98 and Windows NT will send a logon request with - a username but no password when talking to a <command moreinfo="none">security = share - </command> server). Instead, the clients send authentication information - (passwords) on a per-share basis, at the time they attempt to connect - to that share.</para> - - <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis> - uses a valid UNIX user to act on behalf of the client, even in - <command moreinfo="none">security = share</command> level security.</para> - - <para>As clients are not required to send a username to the server - in share level security, <command moreinfo="none">smbd</command> uses several - techniques to determine the correct UNIX user to use on behalf - of the client.</para> - - <para>A list of possible UNIX usernames to match with the given - client password is constructed using the following methods :</para> - - <itemizedlist> - <listitem> - <para>If the <smbconfoption name="guest only"/> parameter is set, then all the other - stages are missed and only the <smbconfoption name="guest account"/> username is checked. 
- </para> - </listitem> - - <listitem> - <para>Is a username is sent with the share connection - request, then this username (after mapping - see <smbconfoption name="username map"/>), - is added as a potential username. - </para> - </listitem> - - <listitem> - <para>If the client did a previous <emphasis>logon - </emphasis> request (the SessionSetup SMB call) then the - username sent in this SMB will be added as a potential username. - </para> - </listitem> - - <listitem> - <para>The name of the service the client requested is - added as a potential username. - </para> - </listitem> - - <listitem> - <para>The NetBIOS name of the client is added to - the list as a potential username. - </para> - </listitem> - - <listitem> - <para>Any users on the <smbconfoption name="user"/> list are added as potential usernames. - </para> - </listitem> - </itemizedlist> - - <para>If the <parameter moreinfo="none">guest only</parameter> parameter is - not set, then this list is then tried with the supplied password. - The first user for whom the password matches will be used as the - UNIX user.</para> - - <para>If the <parameter moreinfo="none">guest only</parameter> parameter is - set, or no username can be determined then if the share is marked - as available to the <parameter moreinfo="none">guest account</parameter>, then this - guest user will be used, otherwise access is denied.</para> - - <para>Note that it can be <emphasis>very</emphasis> confusing - in share-level security as to which UNIX username will eventually - be used in granting access.</para> - - <para>See also the section <link linkend="VALIDATIONSECT"> - NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para> <para> 
@@ -221,9 +119,6 @@ the server to automatically map unknown users into the <smbconfoption name="guest account"/>. See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> - <para>See also the section <link linkend="VALIDATIONSECT"> - NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - <para>See also the <smbconfoption name="password server"/> parameter and the <smbconfoption name="encrypted passwords"/> parameter.</para> |
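Review bot: In the @@ -11,34 +11,18 @@ hunk, the rewritten list of alternatives drops `security = share` without leaving any word for an administrator whose existing smb.conf still sets it. The removed text only called the value deprecated, so the new paragraph should state in one sentence what now happens when it is set, and point to the advice retained a few lines further down (`security = user` together with `map to guest`) as the replacement for guest shares.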
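Review bot: The `linkend="VALIDATIONSECT"` cross-reference deleted at the end of the @@ -65,8 +49,6 @@ hunk (and again in both later hunks) has a target that no visible hunk touches, and the diffstat is limited to security.xml. Please confirm whether the "NOTE ABOUT USERNAME/PASSWORD VALIDATION" section is removed elsewhere in the same change; if it stays, the modes still documented here lose their only pointer to it, and the reason for dropping the link belongs in the commit message.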
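Review bot: Deleting `<anchor id="SECURITYEQUALSSHARE"/>` in the @@ -94,93 +76,9 @@ hunk leaves any `linkend="SECURITYEQUALSSHARE"` elsewhere in docs-xml dangling, and this diff shows only security.xml. Search the tree for that id before merging. The deleted list also documented how `guest only`, `username map` and `user` behave under share-level security, so the pages for those parameters should be checked for leftover references to the removed mode.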